SCIENTIFIC REPORTS

Factoring 51 and 85 with 8 qubits



SUBJECT AREAS: QUANTUM INFORMATION, QUBITS

Received 21 August 2013
Accepted 3 October 2013
Published 28 October 2013

Correspondence and requests for materials should be addressed to M.R.G. (mgeller@uga.edu)



Michael R. Geller & Zhongyuan Zhou 



Department of Physics and Astronomy, University of Georgia, Athens, Georgia 30602, USA. 



We construct simplified quantum circuits for Shor's order-finding algorithm for composites N given by 
products of the Fermat primes 3, 5, 17, 257, and 65537. Such composites, including the previously studied 
case of 15, as well as 51, 85, 771, 1285, 4369, ... have the simplifying property that the order of a modulo N for
every base a coprime to N is a power of 2, significantly reducing the usual phase estimation precision 
requirement. Prime factorization of 51 and 85 can be demonstrated with only 8 qubits and a modular 
exponentiation circuit consisting of no more than four CNOT gates. 

Shor's prime factoring algorithm (ref. 1) reduces the factorization of a product N = pp' of distinct odd primes p and
p' to that of finding the order r of a mod N for a randomly chosen base a coprime to N (with 1 < a < N),
which can be performed efficiently with a quantum computer. The standard implementation (ref. 2) factors a b-bit
number with 3b qubits using a circuit of depth $O(b^3)$; alternative modular exponentiation circuits can be used to
reduce either the space (qubit number) (ref. 3) or time (ref. 4) requirements. The case N = 15, which has the simplifying
property that all orders are powers of 2, has been demonstrated experimentally by several groups (refs. 2, 5-8). Recent
experiments have also factored N = 21 (refs. 9, 10) and 128 (ref. 11).

In this paper we consider the application of Shor's algorithm to products of special primes of the form

$$p_k = 2^{2^k} + 1 \quad \text{with } k = 0, 1, 2, 3, 4. \qquad (1)$$

Explicitly,

$$p = 3, 5, 17, 257, \text{ and } 65537. \qquad (2)$$

Fermat proposed that numbers of the form $2^{2^k} + 1$ for any k = 0, 1, 2, ... (called Fermat numbers) are prime;
however it is now known that the Fermat numbers with 5 ≤ k ≤ 32 are not prime, and it is not known whether
there are additional primes of this form for larger values of k.
Products of the form 



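$$\begin{aligned} N = p_k p_{k'} &= \left(2^{2^k} + 1\right)\left(2^{2^{k'}} + 1\right), \quad \text{with } k, k' \in \{0, 1, 2, 3, 4\} \text{ and } k \neq k' \\ &= 15, 51, 85, 771, 1285, 4369, 196611, 327685, 1114129, \text{ and } 16843009 \end{aligned} \qquad (3)$$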



have the special property that the order of a mod N for every base a coprime to N is a power of 2. This follows from
Euler's theorem,

$$a^{\phi(y)} \bmod y = 1, \qquad (4)$$

where y is a positive integer, $\phi(y)$ is the number of positive integers less than y that are coprime to y, and gcd(a, y)
= 1. When p and p' are odd primes, all pp' - 1 positive integers less than pp' are coprime to pp' except for the p - 1
multiples of p' and the p' - 1 multiples of p, and these exceptions are distinct, so

$$\phi(pp') = pp' - 1 - (p - 1) - (p' - 1) = (p - 1)(p' - 1). \qquad (5)$$

(This result also follows from Euler's product formula.) Thus,

$$a^{(p-1)(p'-1)} \bmod pp' = 1. \qquad (6)$$



Recall that the order r of a mod N is the smallest positive integer x satisfying $a^x \bmod N = 1$; therefore for a
composite of the form (3),

$$\phi(N) = (p_k - 1)(p_{k'} - 1) = 2^{2^k + 2^{k'}} \qquad (7)$$

must be a multiple of r. Because r must be an integer, we conclude that
for any 1 < a < N with gcd(a, N) = 1, r is a power of 2 as well.

Figure 1 | Basic quantum circuit for order finding. Here n = 2b and m =
b, where $b = \lceil \log_2 N \rceil$ is the number of bits in N.

Results 

The standard (ref. 2) order-finding circuit is shown in Fig. 1. The first
register has n qubits and the second has m. The modular exponentiation
operator in Fig. 1 acts on computational basis states as

$$|x_1 x_2 \cdots x_n\rangle \otimes |0 \cdots 1\rangle \rightarrow |x_1 x_2 \cdots x_n\rangle \otimes |a^x \bmod N\rangle, \qquad (8)$$



where 



(9) 



After the inverse quantum Fourier transform, measurement of the
first register is done in the diagonal basis. The probability to observe
the value

$$x \in \{0, 1, \ldots, 2^n - 1\} \qquad (10)$$

is

$$\mathrm{prob}(x) = \frac{\sin^2(\pi r x A / 2^n)}{2^n A \, \sin^2(\pi r x / 2^n)}, \qquad (11)$$

where r is the order and A is the number of distinct values of x such
that $a^x \bmod N$ has the same value (this is approximately $2^n/r$). This
probability distribution has peaks at integer values of x near

$$j \times \frac{2^n}{r} \quad \text{with } j = 0, 1, \ldots, r - 1. \qquad (12)$$



The number of qubits n in the first register is chosen to enable reliable 
extraction of the value of r in (12), which depends on whether or not r 
is a power of 2. In actual applications of Shor's algorithm this will not 
be known, of course, as the point of the quantum algorithm is to 
determine r. In this usual situation, measurement will yield (with 
prob > $4/\pi^2$) an x satisfying



< — with ;' e {0, 1, 
- 2« 



il- 



ds) 



By choosing n = 2b qubits in the first register, where $b = \lceil \log_2 N \rceil$, we
are guaranteed that j/r will be a (continued fraction) convergent of $x/2^n$.
However, for the family of composites $N = (2^{2^k} + 1)(2^{2^{k'}} + 1)$
considered here, all bases have orders

$$r = 2^{\ell} \quad \text{with } \ell \in \{1, 2, 3, \ldots, \ell_{\max}\}, \qquad (14)$$

$$A = \frac{2^n}{r}, \qquad (15)$$

and the peaks (12) in (11) occur at integral values

$$x = 0, \; 2^{n-\ell}, \; 2 \times 2^{n-\ell}, \; \ldots, \; (r - 1) \times 2^{n-\ell}. \qquad (16)$$

Therefore, as long as we have

$$n = \ell_{\max} \qquad (17)$$



qubits in the first register we will be able to determine r, possibly after
a small number of repetitions. The simplest way to extract r from x
here (assuming x ≠ 0) is to simplify the ratio

$$\frac{x}{2^n} \qquad (18)$$

down to an irreducible fraction, which will yield both j and r [recall
(12)] unless they happen to have a common factor.
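The reduction of x/2^n described above, as an added Python example that is not code from the paper; it goes one step further and applies the standard gcd post-processing of Shor's algorithm to the recovered order. The function names and the sample measurement outcomes are constructed for illustration.

```python
from fractions import Fraction
from math import gcd

def order_candidate(x, n):
    """Denominator of x / 2**n in lowest terms; None for x == 0 (no information)."""
    return Fraction(x, 2 ** n).denominator if x else None

def recover_order(a, N, n, samples):
    """Fold measured x values into an order estimate until a**r mod N == 1.
    Every candidate divides the true order and is a power of 2 for this family
    of N, so the largest candidate seen so far is also their lcm."""
    r = 1
    for x in samples:
        r = max(r, order_candidate(x, n) or 1)
        if r > 1 and pow(a, r, N) == 1:
            return r
    return None  # every sample was x == 0 or had j sharing a factor with r

def factors_from_order(a, N, r):
    """Standard classical post-processing: gcd(a**(r/2) +/- 1, N).
    Returns None when a**(r/2) = -1 mod N, the failure case marked in the tables."""
    half = pow(a, r // 2, N)
    if half == N - 1:
        return None
    return tuple(sorted((gcd(half - 1, N), gcd(half + 1, N))))

# Constructed ideal outcomes for n = 4 (peaks at multiples of 2**n / r).
# N = 51, a = 5 (order 16): x = 8 and x = 12 reduce to 1/2 and 3/4, so only
# the third sample exposes the full order.
r51 = recover_order(5, 51, 4, [8, 12, 5])
print(r51, factors_from_order(5, 51, r51))
# N = 85, a = 13 (order 4, asterisked in Table II): order found, factoring fails.
r85 = recover_order(13, 85, 4, [0, 8, 4])
print(r85, factors_from_order(13, 85, r85))
```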

Next we discuss the value of $\ell_{\max}$ (which determines the largest
order $2^{\ell_{\max}}$) for a given composite N. We do not have an explicit
formula for $\ell_{\max}$. However, when N is a product of distinct odd
primes, r can be as large as $\phi(N)/2$ (ref. 12), so for an N of the form
(3) we have the bound [see (7)]

$$\ell_{\max} \le 2^k + 2^{k'} - 1. \qquad (19)$$

For example, in the case of N = 51 (k = 0, k' = 2), the largest order is
$2^4 = 16$, and the upper bound is realized. However for N = 85 (k = 1,
k' = 2), it is not (the largest order present is 16, not 32).

The second register stores the values of

$$a^x \bmod N \in \{0, 1, \ldots, N - 1\} \qquad (20)$$



and therefore normally requires b qubits. However, for a given a, only
r of these values are distinct. Thus we can use fewer than b qubits.
This simplification, while not essential, has been used in all gate-based
factoring demonstrations to date. The reduction amounts to
computing a table of values of $a^x \bmod N$ classically for a given base a,
constructing a corresponding quantum circuit, and ignoring or eliminating
unused qubits in the second register. We note that in addition
to being unscalable, this method of constructing the modular exponentiation
operator implicitly or explicitly uses the value of the order
r, i.e., the answer which the quantum computation is supposed to
determine; we discuss this issue further below.

In this work we will adopt an equivalent — but perhaps more systematic
and transparent — modular exponentiation circuit construction:
We follow the output of $a^x \bmod N$ by a second transformation

$$\begin{aligned} a \bmod N &\rightarrow 1 \\ a^2 \bmod N &\rightarrow 2 \\ &\;\;\vdots \\ a^{r-1} \bmod N &\rightarrow r - 1 \end{aligned} \qquad (21)$$

which maps the r distinct values of $a^x \bmod N$ to 0, 1, ..., r - 1. In (21)
we assume that 1 < a < N. We refer to this classical pre-processing of
$a^x \bmod N$ as compression. Compression does not adversely affect the
operation of the order-finding circuit, but reduces m from b to $\ell_{\max}$
in a systematic manner (and generalizes the "full compilation"
method used in Ref. 6).

Any set of r distinct non-negative integers — in any order — could 
be used for the output of the compression map (21). However the 
choice employed here, and indicated in (21), is especially simple 
because it can be compactly written as 

$$a^x \bmod N \rightarrow x \bmod r(a) \qquad (22)$$

Then, after changing the initial state of the second register from
$|00 \cdots 1\rangle$ to $|00 \cdots 0\rangle$, we have, instead of (8), the compressed
modular exponentiation operation

$$|x\rangle \otimes |0 \cdots 0\rangle \rightarrow |x\rangle \otimes |x \bmod r\rangle \qquad (23)$$

Figure 2 | Circuit to copy the first register to the second.



The operation (23) without the modulo r is just the bit-wise COPY 
shown in Fig. 2 and the effect of the modulo r is to only copy the $\log_2 r$
least significant bits. 
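The claim that compression leaves the order-finding output unchanged can be checked numerically. The following is an added Python example, not code from the paper: it computes the ideal first-register measurement distribution for the uncompressed map x -> a^x mod N and for the compressed map x -> x mod r, using base a = 4 of N = 85 (order 4 in Table II) and n = 4. The function names are hypothetical.

```python
import cmath

def first_register_distribution(f, n):
    """Ideal probability of each outcome y after the inverse QFT on an n-qubit
    first register, when the second register holds f(x) for a uniform
    superposition over x. Only the partition of x by f(x) matters."""
    size = 2 ** n
    classes = {}
    for x in range(size):
        classes.setdefault(f(x), []).append(x)
    probs = []
    for y in range(size):
        p = 0.0
        for xs in classes.values():
            amp = sum(cmath.exp(-2j * cmath.pi * x * y / size) for x in xs) / size
            p += abs(amp) ** 2
        probs.append(p)
    return probs

def peaks(probs, tol=1e-9):
    """Outcomes with non-negligible probability."""
    return [y for y, p in enumerate(probs) if p > tol]

def max_difference(p, q):
    """Largest pointwise gap between two distributions."""
    return max(abs(u - v) for u, v in zip(p, q))

N, a, r, n = 85, 4, 4, 4
uncompressed = first_register_distribution(lambda x: pow(a, x, N), n)
compressed = first_register_distribution(lambda x: x % r, n)
print(peaks(uncompressed), peaks(compressed))   # both peak at multiples of 2**n / r
print(max_difference(uncompressed, compressed))

# r = 16 with n = 4 copies all four bits; the distribution is then uniform.
print(first_register_distribution(lambda x: x % 16, 4)[:4])
```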

In conclusion, we require $\ell_{\max}$ qubits in each register, for a total of
$2\ell_{\max}$ qubits. $\ell_{\max}$ can either be computed classically or the bound
(19) can be used. We note that the space requirements can be further 
reduced by using iterative phase estimation 1315 , but with an increase 
in circuit depth. This might be useful for ion-trap and optical realiza- 
tions but probably not for superconducting qubits. 

We provide explicit quantum circuits for the cases of N = 51 and
85. In both cases $\ell_{\max} = 4$ (the largest order is 16), so we require n = 4
qubits in the first register and m = 4 in the second, for a total of 8
qubits. This is significantly fewer than the 3b required for general b-bit
numbers (b = 6 when N = 51 and b = 7 when N = 85). It is also
fewer than the 2b + 3 qubits required by Beauregard (ref. 3).

After the compression discussed above, only four different circuits 
are needed to cover all N = 51 and N = 85 cases, because there are 
four possible orders. The assignments are listed in Tables I and II, 
and the circuits are given in Figs. 3a-d. 

Circuits for the remaining composites 771, ..., 16843009 follow
from the method described above, and require no more than $2\ell_{\max}$
qubits. From (19) we find that the total number of qubits required in
these cases is bounded by

771 (16), 1285 (18), 4369 (22), 196611 (32),
327685 (34), 1114129 (38), 16843009 (46). (24)



Table I | N = 51 quantum circuits. The base marked by an asterisk
satisfies $a^{r/2} = -1 \bmod N$ and will result in a factorization
failure in the classical post-processing analysis

base a | circuit
16, 35, 50* | Fig. 3a
4, 13, 38, 47 | Fig. 3b
2, 8, 19, 25, 26, 32, 43, 49 | Fig. 3c
5, 7, 10, 11, 14, 20, 22, 23, 28, 29, 31, 37, 40, 41, 44, 46 | Fig. 3d

Discussion 

Given the considerable interest in experimental demonstrations of
Shor's algorithm, it is reasonable to ask what constitutes a "genuine"
demonstration of this important algorithm, and whether the cases
presented here should be considered as such. In our opinion a genuine
implementation should use no knowledge of the value of the
order r — including whether or not it is a power of two — because
the objective of the quantum stage of the algorithm is to calculate
r. Therefore we do not regard the factorization of products of Fermat
primes to be genuine implementations of Shor's algorithm.
Moreover, such special cases can be efficiently factored classically,
by comparing N against a list of products of these primes.

However we do view the circuits presented here as quasi-legitimate
implementations of quantum order finding, and in our view
they are still interesting for this reason. In particular, each eight-qubit
circuit presented here is able to detect periods of two, four, eight, and
sixteen, so there are failure modes where an incorrect period could be
observed. But these genuine order-finding instances are nongeneric
cases from the perspective of Shor's algorithm. Note that in this work
we have simplified the modular exponentiation circuits to reduce
their depth. It is also possible to implement uncompiled versions,
which do not make any use of the value of r and which would
constitute a fully genuine implementation of order-finding (but
not of factoring). The main point of this work, that the number of
qubits required in the first register is greatly reduced for composites
in the series (3), applies to either approach.

Smolin, Smith, and Vargo 16 recently addressed the question of 
what should constitute a genuine factoring demonstration by sim- 
plifying the entire order-finding circuit for any product of distinct 
odd primes down to only two qubits. This is possible by implement- 
ing the phase estimation iteratively 1315 (or the Fourier transform 
semiclassically 17 ), and by choosing only bases a with order two. 
Smolin et al. 16 show that with knowledge of the factors, it is always 
possible to find an order-two base, and they provide an algorithm for 
doing so. The circuit of Smolin et al. does not constitute a genuine 
implementation of Shor's algorithm either. However, the focus of our 
work is different than that of Ref. 16, as the circuits presented here are 
still quasi-legitimate implementations of order finding, and we do 
not make explicit use of the factors in simplifying the circuits. 

Finally, we note that the r = 16 cases (Fig. 3d) result in a uniform
probability distribution for observing computational basis states $|x\rangle$
after measurement of the first register, which would also result from
an unintended, purely decohering action of the CNOT gates (we
thank Alexander Korotkov for this observation). One method of
verifying that the circuit is functioning correctly is to perform tomography
on the final state. A simpler method, however, is to change the
input of the second register from $|0\rangle^{\otimes 4}$ to $|+\rangle^{\otimes 4}$, as shown in Fig. 4.
If the gates are purely decohering, this will not change the output of
the first register upon measurement. But if the CNOTs are acting
ideally, the entire compressed modular exponentiation operator now
acts as the identity [because $|+\rangle = 2^{-1/2}(|0\rangle + |1\rangle)$ is an eigenvector of
the NOT gate] and can be effectively dropped from the circuit, leading
to an observation of the final state $|0000\rangle$ with unit probability.

Table II | N = 85 quantum circuits. Bases marked by an asterisk satisfy $a^{r/2} = -1 \bmod N$ and result in factorization failures in the classical
post-processing analysis

base a | circuit
16, 69, 84* | Fig. 3a
4, 13*, 18, 21, 33, 38*, 47*, 52, 64, 67, 72*, 81 | Fig. 3b
2, 8, 9, 19, 26, 32, 36, 42, 43, 49, 53, 59, 66, 76, 77, 83 | Fig. 3c
3, 6, 7, 11, 12, 14, 22, 23, 24, 27, 28, 29, 31, 37, 39, 41, 44, 46, 48, 54, 56, 57, 58, 61, 62, 63, 71, 73, 74, 78, 79, 82 | Fig. 3d

Figure 3 | Quantum circuits for factoring 51 and 85. Note the modification of the input to the last qubit of the second register compared with Fig. 1. The
circuits inside dashed boxes are the compressed modular exponentiation operations discussed in the text. Note that the CNOT gates here can be
executed in parallel.

Figure 4 | Changing the input states on the second register to verify
coherent operation of the CNOT gates.

In conclusion, we have shown that the simple and well-studied 
case of factoring N = 15 is the first in a series of cases 



15, 51, 85, 771, 1285, 4369, ... (25)



that have all orders equal to a power of two and that can be factored 
with fewer resources than that of other products with the same 
number of bits. 



Methods 

The results in Tables I and II are found by classically computing the orders r for all 
bases 1 < a < N satisfying gcd(a, N) = 1. Cases where $a^{r/2} = -1 \bmod N$ lead to a
failure of Shor's algorithm and are marked by an asterisk. The operation (23) is then
implemented by a quantum circuit as described above. 
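The classical computation described in Methods, as an added Python example that is not code from the paper: it computes the order of every coprime base, groups the bases by order as in Tables I and II, lists the asterisked failure bases, and derives the qubit count $2\ell_{\max}$. The function names are hypothetical; N = 21 is included only as a contrast case whose orders are not all powers of 2.

```python
from math import gcd

def order(a, N):
    """Smallest positive r with a**r mod N == 1 (requires gcd(a, N) == 1)."""
    r, v = 1, a % N
    while v != 1:
        v = v * a % N
        r += 1
    return r

def order_table(N):
    """Map each order r to the sorted bases 1 < a < N coprime to N with that order."""
    table = {}
    for a in range(2, N):
        if gcd(a, N) == 1:
            table.setdefault(order(a, N), []).append(a)
    return table

def failing_bases(N):
    """Bases with a**(r/2) = -1 mod N, the asterisked entries of the tables."""
    return sorted(a for r, bases in order_table(N).items()
                  for a in bases if r % 2 == 0 and pow(a, r // 2, N) == N - 1)

def all_orders_power_of_two(N):
    """True when every order present is a power of 2."""
    return all(r & (r - 1) == 0 for r in order_table(N))

def qubits_needed(N):
    """2 * l_max, where 2**l_max is the largest order present (power-of-2 family only)."""
    return 2 * (max(order_table(N)).bit_length() - 1)

for N in (51, 85):
    for r, bases in sorted(order_table(N).items()):
        print(N, "order", r, bases)
    print(N, "failures", failing_bases(N), "qubits", qubits_needed(N))
print("21 power-of-2 orders only:", all_orders_power_of_two(21))
```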